ChicagoVPS hacked, bunch of VPS customers offline - Page 6
Comments

  • @soluslabs I haven't done a solusvm master installation in a very long time, but IIRC the API user/key is automatically generated and looks random. What random generator function is used for this? How is the random generator seeded at that point?

  • @rds100 We use our own function for that. It's based around the install's unique key.

  • rds100 Member
    edited November 2012

    @soluslabs said: @rds100 We use our own function for that. It's based around the install's unique key.

    Thanks. Sounds reasonable.
    And how is the install's unique key generated, what random function is used there and how is it seeded?

  • Jack seems to be on the money there... I bet that could be a pain in the butt to restore.

  • @apollo15 I can't really answer that question. I can think of many things it could be but that's just speculation and we don't want to start anymore rumours!

  • So.... @soluslabs is saying there's nothing to worry about as of yet; CVPS won't reveal details... Publicity stunt, clearly! I bet one Chris just lay on his desk and button-mashed until he found the sequence for rm -r / ;)

  • ChicagoVPS is definitely hiding something. First post it was brute-force, then something to do with Lighttpd, nothing reported to Soluslabs and so on. If there was an exploit, much bigger players would be affected, not just Chris.

  • @apollo15 said: ChicagoVPS is definitely hiding something. First post it was brute-force, then something to do with Lighttpd, nothing reported to Soluslabs and so on. If there was an exploit, much bigger players would be affected, not just Chris.

    What do you mean? Chris is the big player.

  • CVPS_Chris said:
    KuJoe said: If there is an exploit in SolusVM, Lighttpd won't let them access it.

    It had to do with Lighttpd

    He's confirming it had something to do with Lighttpd here, right? Or am I reading this wrong?

    @apollo15

  • KuJoe said, if it has something to do with API access, block it using the lighty config so no one but whitelisted IPs can access it while we try to figure out what's going wrong. Maybe it's Chris's e-pen that got fat instead of long?

  • @Jack said: Let's all calm down until Chris gets up; remember he must have been awake for quite some time yesterday.

    Awww

  • @Jack said: Shut it pothead ;)

    Ouch, hit me where it hurts :\

  • You need to regulate your trolling

  • @miTgiB said: You need to regulate your trolling

    Trolls know not of regulation. On a serious note, point taken.

  • jarjar Patron Provider, Top Host, Veteran

    Giving them the benefit of the doubt on this until we know more. I think we'd all like that courtesy extended to us in the same situation. I'm sure there's good reason they haven't sat down to write an article yet.

  • But the question remains, who is that "other" provider?

  • Well, I guess we will all know once Chris or Jeremiah wake up. Let's give them a deserved rest now ;)

  • Is Chris dead? 'Cause he can sleep then.

  • @24khost said: Is Chris dead? Cause he can sleep then.

    LMFAO You would have earned a lot of thanks from me today, but unfortunately there's an exploit in that module as well!

  • joepie91 Member, Patron Provider

    @eastonch said: @Taz by the sounds of it it was an API hack; so the lighttpd web server may not be restricting certain IP's etc; or some exploit to get around a .htaccess or something like that.

    And that is why you do not rely on webserver configuration and add a simple check in your software itself.

    @rds100 said: WTF is EOR? It's the first time I've heard this name.

    End Of Reality, I'd assume.

    @soluslabs said: There is no chance of an SQL on verification of the submitted API details because all the Active API users are retrieved from the database before the details are compared. This authentication system was introduced in early 2011.

    Wait - does this mean you are not using PDO? If you were using PDO, SQL injection would not even be a possibility, so there would be no reason to pre-fetch all API users. Not to mention that it's very bad practice to move database operations (selecting rows) to your application code.

    @soluslabs said: @rds100 We use our own function for that. It's based around the install's unique key.

    This is bad. Very very bad. You should not be rolling your own security unless you are an experienced cryptographer that has had his implementations peer-reviewed. Especially deriving it from some other bit of data is a big no-no - it only weakens your security.
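The three ways of checking submitted API details that joepie91 and soluslabs contrast above (string-built SQL, a parameterized query, and fetching every active user and comparing in application code), plus the in-application IP allowlist joepie91 argues for instead of relying on the lighttpd config, as an added example. This is not SolusVM code (which is closed source and not shown here); the table, column names, sample rows, addresses and networks are constructed, and SQLite stands in for whatever database the panel uses. The concatenated variant is deliberately injectable so that the difference is visible.

```python
import hmac
import ipaddress
import sqlite3

# Constructed sample data: two API users, the second one disabled.
SAMPLE_USERS = [
    (1, "node01", "k7Qp2ZrXw9LmN4vB", 1),
    (2, "node02", "aF3hJ8sDq1WeRt6Y", 0),
]

# Constructed allowlist: the networks the API may be called from.
API_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.7/32")]


def make_db():
    """In-memory SQLite database with the constructed api_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_users (id INTEGER, api_id TEXT, api_key TEXT, active INTEGER)")
    conn.executemany("INSERT INTO api_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, api_id, api_key):
    """Deliberately vulnerable: request data is spliced into the SQL text,
    so a key such as  x' OR 1=1 --  rewrites the WHERE clause."""
    sql = ("SELECT id FROM api_users WHERE api_id = '%s' AND api_key = '%s' AND active = 1"
           % (api_id, api_key))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(conn, api_id, api_key):
    """Placeholders (what PDO prepared statements give you in PHP): the SQL text is
    fixed and the values travel separately, so they can never become syntax."""
    row = conn.execute(
        "SELECT id FROM api_users WHERE api_id = ? AND api_key = ? AND active = 1",
        (api_id, api_key),
    ).fetchone()
    return row[0] if row else None


def lookup_fetch_all(conn, api_id, api_key):
    """The pattern soluslabs describes: no request data reaches SQL at all.
    Immune to injection, but it scans every active user on every request,
    which is the database's job, not the application's."""
    for uid, name, key in conn.execute(
            "SELECT id, api_id, api_key FROM api_users WHERE active = 1"):
        # compare_digest: constant-time, so a wrong key leaks nothing via timing
        if (hmac.compare_digest(name.encode(), api_id.encode())
                and hmac.compare_digest(key.encode(), api_key.encode())):
            return uid
    return None


def client_allowed(remote_addr, allowlist=API_ALLOWLIST):
    """In-application allowlist, enforced whether or not lighttpd/.htaccess is
    configured correctly. remote_addr must be the socket peer address, never a
    client-supplied header such as X-Forwarded-For."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def authenticate(conn, remote_addr, api_id, api_key):
    """Allowlist first, then a parameterized lookup. Returns the user id or None."""
    if not client_allowed(remote_addr):
        return None
    return lookup_parameterized(conn, api_id, api_key)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"
    print("concatenated, wrong id + injected key:", lookup_concatenated(db, "nobody", payload))
    print("parameterized, same input:", lookup_parameterized(db, "nobody", payload))
    print("fetch-all, same input:", lookup_fetch_all(db, "nobody", payload))
    print("authenticate from 198.51.100.9:", authenticate(db, "198.51.100.9", "node01", "k7Qp2ZrXw9LmN4vB"))
```

The allowlist belongs in the application precisely because it then does not depend on every node's web server being configured the same way; the web-server rule is still worth keeping as a second layer.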

  • Nick_A Member, Top Host, Host Rep

    @Damian said: Not everyone is sunshine and rainbows and puppy dogs

    :blah:

    ;)

  • joepie91 Member, Patron Provider

    /me pings @soluslabs about the above post

  • jarjar Patron Provider, Top Host, Veteran

    @joepie91 Sounds like you need to update your resume and give them a ring ;)

  • joepie91 Member, Patron Provider
    edited November 2012

    @jarland said: @joepie91 Sounds like you need to update your resume and give them a ring ;)

    A paid, proprietary and closed-source, ioncube-encoded panel with seemingly horrible code practices is the last thing I would want to work on.

    EDIT: With probably a non-competition clause thrown in for good measure.

  • vld Member
    edited November 2012

    Just a quick reminder on SolusVM's recent security history:

    http://safeornot.net/advisories/solusvm-01
    http://safeornot.net/advisories/solusvm-02

  • @joepie91 I did some research on their procedures for generating the random install keys and such - it seems they are using Perl for this, for example:

    perl -le 'print map+(A..Z,a..z,0..9)[rand 62],0..25'

    Perl internally seeds its rand() function via /dev/urandom; unfortunately it only reads 4 bytes of data from there, so it's a maximum of 32 bits of randomness. Still not too bad, at least they are not using time() for seeding, which would make it easily predictable.
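A Python model of the seed-space argument in the post above, as an added example that is neither SolusVM's nor Perl's code. random.Random (Mersenne Twister) stands in for Perl's rand(); the two generators produce different outputs, but the point is that a 26-character key drawn from 62 symbols has about 155 bits of key space while a generator seeded with 32 bits can only ever produce 2^32 distinct keys, and a generator seeded with time() far fewer in practice. ALPHABET and KEY_LEN mirror the quoted one-liner; the seed sizes in the demo are kept small so it runs in under a second, and the install timestamp is constructed.

```python
import math
import random
import secrets

# Same character set and length as the quoted Perl one-liner: A..Z, a..z, 0..9, 26 chars.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
KEY_LEN = 26


def key_from_seed(seed, length=KEY_LEN):
    """Model of the PRNG-based generator: one integer seed fully determines the key.
    Each character index is floor(rand * 62), as in `[rand 62]`. Python's Mersenne
    Twister stands in for Perl's rand(); outputs differ, the seed-space limit does not."""
    rng = random.Random(seed)
    return "".join(ALPHABET[int(rng.random() * len(ALPHABET))] for _ in range(length))


def effective_bits(seed_bits, length=KEY_LEN):
    """Returns (effective strength, nominal key space) in bits. The key looks like
    ~155 bits of entropy, but an attacker only needs to search the seed space."""
    key_space_bits = length * math.log2(len(ALPHABET))
    return min(seed_bits, key_space_bits), key_space_bits


def recover_seed(key, seed_bits):
    """Brute-force the seed of a key produced by key_from_seed. With 32-bit seeds
    this is ~4.3e9 trials: hours of CPU, i.e. feasible offline, not infeasible.
    Demo callers pass a small seed_bits to keep the run short."""
    for seed in range(1 << seed_bits):
        if key_from_seed(seed) == key:
            return seed
    return None


def recover_time_seed(key, approx_time, window):
    """If the generator were seeded from time(), knowing the install time to within
    `window` seconds (from logs, certificate dates, ticket timestamps, ...) shrinks
    the search to 2*window+1 candidates instead of 2**32."""
    for t in range(approx_time - window, approx_time + window + 1):
        if key_from_seed(t) == key:
            return t
    return None


def secure_key(length=KEY_LEN):
    """The fix: draw every character from the OS CSPRNG (secrets module, i.e.
    /dev/urandom or getrandom). There is no seed to recover, so the full
    ~155-bit key space applies."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    eff, nominal = effective_bits(32)
    print("nominal key space: %.1f bits, effective with 32-bit seed: %d bits" % (nominal, eff))
    demo_seed = 12345                      # constructed; within a 14-bit demo seed space
    print("seed recovered:", recover_seed(key_from_seed(demo_seed), 14))
    install_time = 1352000000              # constructed install timestamp, Nov 2012
    leaked = key_from_seed(install_time + 37)
    print("time() seed recovered:", recover_time_seed(leaked, install_time, 3600))
    print("CSPRNG key:", secure_key())
```

The search functions are written against the model generator, so they recover seeds only for keys made by key_from_seed; against a real deployment the attacker would reimplement the actual generator and seeding, which is the whole reason a CSPRNG-backed key, rather than a cleverer derivation, is the right fix.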

  • Lee Veteran
    edited November 2012

    It seems odd though that if this affected about 1000 VPSes there are not many "WTF, why is my VPS down" or "OMG, CVPS sucks" type threads or customers posting on those that have been created.

    I know not every customer will visit WHT or LET but I was expecting to see more upset folks about.

  • 1000 VPS across 10 nodes. Big nodes?

  • Maybe because it is not 24 hours yet and a lot of folks are still either sleeping or busy with their job and do not have active monitoring....

  • Or because 99% of them are sitting idle.

This discussion has been closed.